Cyber risks – which include ransomware attacks, data theft, phishing emails with embedded malware, cyber extortion, identity theft, social engineering attacks and data breaches – are causing increasing concern for companies small and large across all industries.
According to the Cost of a Data Breach 2022 Report by IBM/Ponemon Institute, the global average cost of a data breach in 2022 was $4.35 million. Breaches in the health care industry were the costliest at $10.1 million on average, and breaches in the U.S. were the most expensive at $9.44 million. These attacks (and the potentially severe costs of responding to and remedying them) can spark ripple effects on a company’s financial viability and reputation.
Civil litigation arising from cyber risks is also increasingly common. Beyond litigation filed by consumers and other parties affected by an attack, in October 2021 the U.S. Department of Justice announced a new Civil Cyber Fraud Initiative (CCFI). The CCFI uses the False Claims Act to hold federal contractors and grantees accountable for knowingly furnishing deficient cybersecurity products or services, misrepresenting cybersecurity practices, or knowingly violating obligations to report cybersecurity incidents.
In light of this increased scrutiny and exposure to risk, businesses have to do more up front to mitigate or prevent loss. One place to start is by procuring cyber insurance and negotiating favorable terms. To that end, we offer these 10 best practices.
Your guide to mitigating cyber risks and maximizing insurance recovery
1. Complete the application carefully and accurately
Cyber insurance applications can be highly technical and lengthy. Moreover, one of the first places insurers look when presented with a cyber claim is the insurance application to see if the claim indicates any potentially inaccurate representations. Accordingly, for every placement or renewal, it is important for policyholders to engage in – as far in advance as possible – a thorough review of the application with their risk management, legal, security and information technology teams. Companies should also consult trusted brokers and coverage counsel to help guide the process in order to avoid later issues concerning the content or accuracy of the application. Policyholders should remember, however, that communications with insurance brokers may not be privileged.
2. Keep your unique business in mind
Cyber insurance policy forms are not standardized: They vary depending on the particular insurer and the industry served. Unlike with some other types of insurance, there may be material differences in insuring agreements, definitions, terms, exclusions and overall structure. Thus, policyholders should carefully evaluate and compare the policy forms when purchasing or renewing coverage and seek to tailor their insurance coverage to address any unique needs and potential exposures.
3. Negotiate flexible notice requirements and extended reporting periods
Regardless of your industry, one way to maximize insurance recovery under your cyber policy is to seek favorable notice requirements. Most cyber policies provide first-party coverage for certain costs and losses incurred directly by the policyholder as a result of cyber incidents, as well as third-party liability coverage for claims made against the policyholder. First-party cyber coverage is typically triggered by incidents first discovered during the policy period, and third-party liability coverage is usually written on a claims-made basis, providing coverage only for claims first made during the policy period.
Some cyber policies require the policyholder to provide notice to the insurer as soon as possible after becoming aware of any claim against them, but before the end of the policy period. That requirement can be problematic and difficult to comply with in the event that a loss is discovered or a claim is made very close to the end of the policy period. To help avoid coverage fights based on notice, check if the policy provides extra time to report losses or claims after the policy expires. If not, policyholders should negotiate such a provision to avoid any gaps in coverage.
4. If possible, make it retroactive
As mentioned above, first-party coverage in cyber policies generally contains a discovery trigger, and third-party coverage is generally claims-made. But incidents may be discovered or claims first made well after the underlying problem actually occurs. To maximize coverage, where possible, policyholders should negotiate for favorable retroactive dates to ensure that a cyber policy covers losses arising from undiscovered breaches or claims involving alleged wrongful conduct that occurred prior to the policy’s inception.
5. Ensure you have investigation coverage
Particularly given the rise in civil litigation, it is important for policyholders to ensure that their cyber policies include coverage for governmental or regulatory investigations and actions. That coverage should extend to informal investigations, civil investigative demands and subpoenas; legal fees incurred to respond to those investigations or subpoenas or to defend against an adversary action; and regulatory fines and penalties and consumer redress funds. Further, because coverage for certain fines and penalties may be restricted in some jurisdictions, coverage for regulatory fines and penalties should be as broad as allowed under applicable law.
- Cyber risks are ever evolving and challenging to contain.
- The good news is many cyber risks are insurable.